Which of the following is the most appropriate action an internal auditor would perform during an audit of his organization ' s IT change management process?
A.
Validate that only authorized personnel can migrate changes into the production environment.
B.
Perform a risk assessment to determine the likelihood that risk could occur due to insufficient patch application.
C.
Publish a schedule that lists all approved changes and planned implementation dates.
D.
Update change management processes on a consistent basis to keep up with changing technologies.
During an audit of IT change management, the internal auditor should validate whether only authorized personnel can migrate changes into production. This directly tests segregation of duties, authorization, and production environment protection. Option B may be relevant in a patch management review, but it is narrower and not the most direct change management audit action. Option C is a management activity, not an internal audit responsibility. Option D is also management’s responsibility because internal audit should not update operating processes it may later audit. Effective change management requires proper request approval, testing, migration control, emergency change review, and post-implementation monitoring. Therefore, Option A is correct.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit